Google's Chrome Extension 'Password Checkup' Tells If Users Have Been Compromised

We simply have too many accounts on the web, and the more we have, the greater the risk.

The search giant Google has launched a Chrome browser extension aimed at helping users protect their online accounts from intruders. If users' login credentials have been stolen and leaked to the internet, this extension should notify them.

The extension is called 'Password Checkup', and it's triggered every time users sign in to a website using Chrome, or enter information on forms.

Here, the extension protects users by checking the input data against more than 4 billion credentials that are known to have been leaked in data breaches.

If it finds a match, the extension will pop up an alert, asking users to change that detail immediately.

The feature is quite similar to Troy Hunt's 'Have I Been Pwned?' service, which allows users to look up their usernames and passwords to find out whether the information was leaked or stolen. What Google did here is wrap that feature into an extension.

To preserve privacy, Google said, the extension is designed never to reveal users' credentials, even to Google.

This was explained by members of Google's security and anti-abuse research team, Jennifer Pullman, Kurt Thomas, and Elie Bursztein, who claim that "Google never learns your username or password" even though it collects the data.

"At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried," the three explained in a blog post.

"At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option."

Password Checkup

Google managed to collect the leaked information from its web crawling activities. At times, the search engine encounters people's sensitive credentials that have been leaked and dumped by hackers, or left exposed by careless users.

The company copies and encrypts that information.

With the help of Chocolate Factory in conjunction with cryptocurrency specialists from Stanford University, Google created this Chrome extension. The company hopes that users can stay safe and otherwise be warned if their credentials have been compromised.

The extension is also built to prevent malicious actors who have somehow breached a user's system from gaining access to the stored information.

This is done by encoding the credentials and then querying Google's database of unsafe passwords for match candidates using a two-byte index, which serves as an anonymous prefix. Google returns the set of encrypted hashes that share that prefix, and these are compared on the user's local machine with the encrypted hash of the user's current username and password.
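A simplified sketch of the lookup described above, added here as an illustration and not Google's code. SHA-256, the modular-exponentiation encryption over a toy group, and the names `Server`, `check` and the sample credentials are all assumptions made for the example.

```python
import hashlib
import math
import secrets

# Assumption: toy group (integers modulo the prime 2**255 - 19), chosen so the
# sketch runs with the standard library only; not a production choice.
P = 2**255 - 19

def cred_hash(username, password):
    """Digest of the credential pair; its first two bytes are the index."""
    return hashlib.sha256(f"{username}\x00{password}".encode()).digest()

def to_group(digest):
    """Map a digest to a non-zero group element in [1, P-1]."""
    return int.from_bytes(digest, "big") % (P - 1) + 1

def new_key():
    """Random exponent that is invertible modulo the group order P - 1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class Server:
    """Breach database: hashes encrypted under the server key, bucketed by prefix."""
    def __init__(self, breached):
        self.key = new_key()
        self.buckets = {}
        for user, pw in breached:
            d = cred_hash(user, pw)
            self.buckets.setdefault(d[:2], set()).add(pow(to_group(d), self.key, P))

    def query(self, prefix, blinded):
        # The server sees only the two-byte prefix and a value encrypted under
        # a one-time client key; it adds its own key and returns the bucket.
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())

def check(server, username, password):
    """Client side: True if the credential pair is in the breach set."""
    d = cred_hash(username, password)
    a = new_key()  # fresh key for every lookup
    double, bucket = server.query(d[:2], pow(to_group(d), a, P))
    # Remove the client key locally: x^(a*b*a^-1) = x^b, comparable to the bucket.
    return pow(double, pow(a, -1, P - 1), P) in bucket

# Constructed sample data, not real leaked credentials.
SERVER = Server([("alice@example.com", "hunter2"), ("bob@example.com", "123456")])
```

The two-byte prefix places each query in one of 65,536 buckets, so the server learns only which bucket was asked about, and the client receives only values it cannot decrypt without the server key.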

Google is looking forward to improving the extension over time, and is also hoping to bake the extension directly into Chrome in the future, so more users can benefit from the feature.

But if users are still worried about their information being collected by Google, as the extension can read and change site data on all websites, they can consider using DuckDuckGo and the Tor Browser.

Previously, competitor Mozilla also implemented a similar feature in its popular Firefox browser.

Called 'Firefox Monitor', the feature checks the Have I Been Pwned? database for exposed credentials.

Published: 07/02/2019